SystimaNX
Back to case studies
Pharma & Patient CareSaaS Application DevelopmentSecurity & Compliance

Regulated Patient & HCP Digital Portal

Building a high-accessibility digital platform that connects patients, family caregivers, and licensed healthcare professionals under FDA and HIPAA-aligned regulatory requirements, without slowing the pace of content publication.

FDA-aligned platform connecting patients to treatment information and caregiver support
Client
Confidential — Pharmaceutical / rare disease
Industry
Pharma & Patient Care
Timeline
7 months
Technologies
8+ tools

The Challenge

!The platform needed to serve three distinct audiences—patients, family caregivers, and licensed healthcare professionals (HCPs)—from a single codebase, with content that is strictly gated by role. Any leakage of prescriber-only dosing or off-label information into the patient-facing experience would create regulatory exposure, so the access model had to be enforced at the API layer, not just hidden in the UI.
!WCAG 2.1 AA accessibility compliance was a hard requirement, not a nice-to-have, because the rare-disease patient population includes many users with limited mobility, low vision, or cognitive fatigue from treatment. Existing internal prototypes had been built without accessibility in mind and would have required a near-total rebuild of the component library to retrofit.
!Every piece of patient-facing medical content had to pass through a multi-stage regulatory approval workflow involving medical, legal, and regulatory (MLR) reviewers before publication. The client's prior process ran this review over email and shared spreadsheets, routinely taking two to three weeks per content update and creating no reliable audit trail of who approved what version.
!Sensitive medical and personally identifiable data had to be handled under HIPAA-aligned controls, including encryption, field-level access restrictions, and detailed audit logging, even though the platform itself was not technically a covered entity. The client's compliance team required documented evidence of controls for their own audit purposes, not just a verbal assurance of best practice.
!Family caregivers needed a genuine peer-support community, but unmoderated forums in a rare-disease context carry real risk: users sharing unverified treatment advice, emotional crisis disclosures, or inadvertent protected health information in public posts. The client needed automated flagging plus a trained human escalation path, not just a report button that goes nowhere.
!The organization operated across multiple countries with different regulatory bodies (FDA in the US, plus emerging requirements in other markets), meaning content localization and region-specific approval gates had to be built into the same pipeline rather than bolted on later as separate systems.
!Internal IT had no existing DevOps practice for this kind of regulated SaaS product, so the platform needed infrastructure that could demonstrate uptime, disaster recovery, and change-control evidence to auditors on demand, without requiring the client to hire a dedicated platform engineering team.
!The seven-month timeline was fixed to align with a planned treatment announcement, leaving no room for the accessibility audit, security review, or MLR sign-off to slip without jeopardizing the launch date entirely.

Our Solution

We designed a dual-audience, role-gated architecture from day one, enforcing patient, caregiver, and HCP content boundaries at the API and database query layer using scoped tokens and row-level permissions, rather than relying on frontend routing alone to hide restricted content.
The entire component library was built to WCAG 2.1 AA from the first sprint, including full screen reader compatibility, complete keyboard navigation, high-contrast display modes, and adjustable text sizing, validated continuously with automated accessibility linting in the CI pipeline rather than as a final pre-launch check.
We replaced the email-based MLR review process with a structured digital content pipeline featuring staged approval gates, reviewer assignment, inline commenting, and immutable version history, so every published page carries a traceable record of who approved which version and when.
HIPAA-aligned data handling was implemented at the infrastructure level: encryption at rest and in transit, field-level access controls tied to user role, and comprehensive audit logging of every read and write to sensitive records, giving the compliance team exportable evidence for their own audits.
A moderated caregiver community module was built with automated keyword and sentiment flagging, a human moderation queue with defined SLAs, and enforced safe-messaging guidelines that prevent unverified medical claims from remaining visible without review.
We architected the content pipeline with region-aware approval gates from the outset, so localized content variants route to the correct regulatory reviewers for each market without requiring separate platforms or duplicated codebases.
The platform was deployed on a multi-region, active-passive AWS infrastructure managed through Terraform, giving the client automated failover, documented disaster recovery procedures, and infrastructure-as-code change history that satisfies audit requirements without an in-house platform team.
We ran a phased delivery plan against the fixed seven-month deadline, front-loading the accessibility audit and security review into months four and five so that any remediation work had a full buffer before the MLR sign-off and launch date.

Measurable Impact

Accessibility standard
WCAG 2.1 AA

Full compliance independently verified by a third-party accessibility audit prior to public launch.

Content approval cycle
60% faster

Staged digital review workflows replaced manual email-based MLR chains, cutting weeks-long delays to days.

Uptime SLA
99.9%

Multi-region active-passive deployment with automated failover met the client's clinical-grade availability commitment.

Data compliance
HIPAA-aligned

All patient and caregiver data encrypted at rest and in transit, access-controlled by role, and fully auditable.

Delivery timeline
7 months, on schedule

Launch shipped on the date tied to the client's public treatment announcement, with no slippage on regulatory sign-off.

Audience segmentation
3 role-gated tiers

Patient, caregiver, and HCP experiences fully separated at the API layer with zero reported content leakage post-launch.

Getting accessibility right in a regulated environment is genuinely hard, and getting the compliance evidence right alongside it is harder still. SystimaNX delivered a platform patients can actually use, our MLR reviewers trust, and our legal team signed off on without a single open item. That combination is rare.

V
VP Digital Health
Pharmaceutical Company (NDA)

Technology stack

Next.jsReactNode.jsPostgreSQLAWSTerraformWCAG toolingOkta
Book a consultation
Regulated Patient & HCP Digital Portal | Case Study | SystimaNX